TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Customer Account Data Engine 2 Program Management Office Implemented Systems Development Guidelines; However, Process Improvements Are Needed to Address Inconsistencies

September 30, 2011

Reference Number: 2011-20-127

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site | http://www.tigta.gov

HIGHLIGHTS

Final Report issued on September 30, 2011

Highlights of Reference Number: 2011-20-127 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The mission of the Customer Account Data Engine (CADE) 2 Program is to provide state-of-the-art individual taxpayer account processing and technologies to improve service to taxpayers and enhance Internal Revenue Service (IRS) tax administration. Once completed, the new modernization environment should allow the IRS to more effectively and efficiently update taxpayer accounts, support account settlement and maintenance, and process refunds on a daily basis, all of which will contribute to improved taxpayer services.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to determine if the CADE 2 Program Management Office planned and provided oversight for Transition State 1 design activities in accordance with systems development guidelines, including applicable security provisions.

WHAT TIGTA FOUND

The CADE 2 Program Management Office implemented guidelines to cover key systems development processes. Due to the critical nature of the system to the IRS mission, 18 enhanced security controls above those required by security guidelines were added to the CADE 2 system to help protect data from unauthorized access, modification, and corruption. Improvements are still needed to ensure Program consistency. Specifically: 1) systems development guidelines and related processes were not consistently implemented by CADE 2 personnel, and 2) requirements and business rules were not sufficiently developed and traced to their sources before the CADE 2 exit of design activities. The IRS implemented corrective actions; however, some were not developed or completed prior to the conclusion of our audit.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer ensure project test plans are developed timely; the Internal Revenue Manual and other guidelines are revised to include Program-level test plans; and a comprehensive Integrated Master Schedule is developed. TIGTA also made recommendations for the IRS to improve the processes associated with managing business rules and requirements.

In its response, the IRS agreed with four of TIGTA’s five recommendations and indicated that corrective action had been completed. The IRS disagreed with TIGTA’s recommendation to revise the Enterprise Life Cycle guidance, stating it is for project development and is not intended to provide for detailed instructions on developing a Program-level test plan. Rather, the IRS agreed to reconcile two systems development documents it considers as being consistent with the purpose, scope, and timing of the Program Test Plan, and plans to maintain program-level guidance about the process. TIGTA agrees this alternative approach addresses the condition.

The Chief Technology Officer also stated that our finding regarding delays in developing the Program Test Plan appeared inaccurate, citing uncertainty or unfamiliarity with the Program Test Plan’s content was not a factor in the decision to defer delivery. However, during our audit fieldwork, CADE 2 Program Management Office staff advised us that they were considering not completing the Program Test Plan, and only did so after TIGTA brought this to the attention of the CADE 2 Director for Delivery Management.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 30, 2011

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:       Michael R. Phillips
            Deputy Inspector General for Audit

SUBJECT:    Final Audit Report – The Customer Account Data Engine 2 Program Management Office Implemented Systems Development Guidelines; However, Process Improvements Are Needed to Address Inconsistencies (Audit # 201020025)

This report presents the results of our review of the Customer Account Data Engine 2 Program Management Office. Our overall objective was to determine if the Program Management Office planned and provided oversight for Transition State 1 design activities in accordance with systems development guidelines, including applicable security provisions. This review was requested by the Chief Technology Officer.
It was included in our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Modernization.

Management’s complete response to the draft report is included as Appendix X.

Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

Table of Contents

Background

Results of Review
    The Program Management Office Implemented Procedures to Manage Systems Development Activities and Ensure Executive Oversight
    Systems Development Processes and Program Guidelines Were Not Always Consistent
        Recommendations 1 and 2
        Recommendation 3
    Requirements Management Processes Were Not Performed in Accordance With Established Guidelines
        Recommendations 4 and 5

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measure
    Appendix V – Enterprise Life Cycle Overview
    Appendix VI – Customer Account Data Engine 2 Transition States
    Appendix VII – Transition State 1 Integration Reviews
    Appendix VIII – The Customer Account Data Engine 2 High and Enhanced Requirements
    Appendix IX – Glossary of Terms
    Appendix X – Management’s Response to the Draft Report

Abbreviations

CADE          Customer Account Data Engine
CCB           Configuration Control Board
ELC           Enterprise Life Cycle
IMF           Individual Master File
IMS           Integrated Master Schedule
IRS           Internal Revenue Service
ReqPro        Rational RequisitePro
TIGTA         Treasury Inspector General for Tax Administration

Background

The Customer Account Data Engine 2 Program is the highest priority information technology modernization project in the Internal Revenue Service.

In August 2008, the Internal Revenue Service (IRS) Commissioner established the Modernized Taxpayer Account Program Integration Office to manage the transition of the current individual income tax processing, which consists of multiple computer systems for processing tax returns, payments, and other transactions affecting taxpayer accounts, into a more consolidated system. Working in conjunction with IRS business owners, the Program Integration Office decided to integrate elements from both the existing Individual Master File (IMF)[1] and current Customer Account Data Engine (CADE) processes into a new CADE 2 Program.
The proposed plan incrementally transfers taxpayer accounts from the current IMF and CADE processing systems to a new CADE 2 relational database.

The CADE 2 Program is the top information technology modernization project in the IRS. The CADE 2 strategy involves three phases:

   •   Transition State 1. Modifies the IMF from a weekly cycle to daily processing; establishes a new relational database to store all individual taxpayer account information; and provides management tools to more effectively use data for compliance and customer service. The IRS plans to implement Transition State 1 in January 2012.
   •   Transition State 2. Launches a single processing system where applications directly access and update the taxpayer account database. It will continue efforts toward addressing previously identified financial material weaknesses. The IRS plans to implement Transition State 2 in January 2014.
   •   Target State. Consists of a single system using elements of the IMF and current CADE, eliminating all transitional applications used to link the current CADE, the IMF, and the Integrated Data Retrieval System. The complete solution is also planned to address all of the financial material weaknesses. As of April 28, 2011, the IRS had not established a Target State implementation date.

Appendix VI presents conceptual models for the As Is, Transition State 1 and 2, and Target State process flowcharts for individual income tax accounts.

[1] See Appendix IX for a glossary of terms.

The CADE 2 Program Management Office was established with a mission to provide state-of-the-art individual taxpayer account processing and technologies to improve service to taxpayers and enhance IRS tax administration. It published a charter on January 28, 2010. The CADE 2 Program Management Office plans to create a modernized processing environment where applications both access and update an authoritative relational database to manage all individual taxpayer accounts.
The CADE 2 Program goals and scope are depicted in Figure 1.

Figure 1: CADE 2 Program Goals and Scope

CADE 2 Program Goals
   •   Establish a solid data foundation for the future by leveraging relational database processing capability.
   •   Address financial material weaknesses, demonstrate compliance with Federal Financial Management System Requirements, and maintain a clean audit opinion.
   •   Improve security and privacy posture by addressing identified weaknesses.
   •   Continue the focus on moving away from 1960’s technology (i.e., aging infrastructure, applications, and sequential flat file processing).
   •   Demonstrate substantive progress toward achieving long-term viability.

CADE 2 Program Scope
   •   Establish the authoritative database for individual taxpayer accounts.
   •   Replace the current IMF and CADE applications with a single, state-of-the-art solution.
   •   Expand the Integrated Production Model to include individual taxpayer accounts.
   •   Provide daily outputs to the Integrated Data Retrieval System and other downstream systems in support of daily processing.

Source: CADE 2 Program Charter Version 1.0, dated January 28, 2010.

To implement Transition State 1, the IRS established two systems development projects and completed several prototypes. The objective of each prototype was to demonstrate confidence in the CADE 2 approach by verifying system viability and performance and defining components to serve as the foundation for development activities.
The Treasury Inspector General for Tax Administration (TIGTA) issued a report on the results of the prototypes on November 24, 2010.[2] In addition, the TIGTA has recently completed audits covering the two CADE 2 systems development projects—Daily Processing and Database Implementation.[3]

[2] Prototype Process Improvements Will Benefit Efforts to Modernize Taxpayer Account Administration (Reference Number 2011-20-001, dated November 24, 2010).

This review was requested by the Chief Technology Officer and was performed at the Modernization and Information Technology Services organization facilities in New Carrollton, Maryland, during the period April 2010 through May 2011. During audit fieldwork, the TIGTA concurrently advised CADE 2 Program officials when issues were identified and suggested corrective actions. The CADE 2 Program Management Office implemented several management corrective actions during the course of the audit. The TIGTA communicated interim audit results and recommendations for improvement to the Associate Chief Information Officer for Modernization – Program Management Office on February 24, 2011, and April 14, 2011.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[3] The Customer Account Data Engine 2 Is Making Progress Toward Achieving Daily Processing, but Improvements Are Warranted to Ensure Full Functionality (Reference Number 2011-20-109, dated September 28, 2011), and The Customer Account Data Engine 2 Database Implementation Project Made Progress in Design Activities, but Improvements Are Needed (Reference Number 2011-20-110, dated September 20, 2011).

Results of Review

The Program Management Office Implemented Procedures to Manage Systems Development Activities and Ensure Executive Oversight

The CADE 2 Program Management Office has taken initial steps to reduce the risks associated with using new techniques and processes in the Modernization Program. The CADE 2 Program is sponsored by the IRS Commissioner, Deputy Commissioners, Chief Technology Officer, and Wage and Investment Division Commissioner.
These sponsors have established organizational commitments and a governance structure to assist in meeting CADE 2 Program goals.

Establishment of a governance structure is important to the success of the CADE 2 Program, as it ensures high-level IRS officials oversee and approve critical aspects of systems development. The CADE 2 Program Management Office ensured the Program Charter established a governance model and procedures and that governance groups, including the Executive Steering Committee and Governance Board, were fully engaged in these processes.

The Chief Technology Officer oversees the Executive Steering Committee, whose members include the Chief Information Officer of the Department of the Treasury and the Commissioner of the IRS Wage and Investment Division. This Committee provides oversight to ensure alignment of the CADE 2 Program and the IRS Strategic Plan and approves decisions having significant organizational or external impact, such as changes to Program goals or policy requirements.

The Associate Chief Information Officer for Modernization – Program Management Office oversees the Governance Board, whose members include the Business Modernization Executive of the IRS Wage and Investment Division.
The Board maintains the CADE 2 Program scope, provides guidance, removes obstacles, and cultivates organizational commitment at all levels.

The CADE 2 Program Management Office developed the Program Framework to supplement the Enterprise Life Cycle (ELC).[4] The Program Framework establishes guidance for a single Program Management Office to manage multiple, ongoing information technology systems development projects by defining necessary life cycle phases, activities, and review points. Adherence to Program Framework guidelines is monitored through key systems development processes and recurring Program-level meetings.

[4] See Appendix V for an overview of the ELC.

Management oversight processes were established

The CADE 2 Program Management Office established oversight meetings and guidelines for key systems development processes to ensure efficient and effective program management. Specifically:

   •   Program-level oversight meetings: The CADE 2 Program Management Office established oversight processes which include quarterly and monthly briefings to the Chief Technology Officer and a series of weekly, biweekly, and monthly meetings between Program Management Office executives, staff, and project teams. Cybersecurity organization personnel participated in CADE 2 Program weekly meetings to provide early insight into the identification and development of required security controls.
       The Executive Steering Committee meets quarterly, while the Chief Technology Officer receives monthly status briefings. In addition, monthly meetings are held to discuss risks and issue management, and weekly meetings are held for a review of activities and progress on the Integrated Master Schedule (IMS). The CADE 2 Program Management Office established several integration reviews to ensure the Program was making appropriate progress across all activities within a transition state and moving in an integrated way towards the defined transition state solution. Appendix VII presents the integration reviews and their purposes.
   •   Guidelines for key systems development processes were issued: The CADE 2 Program Management Office issued guidelines to cover key processes. The CADE 2 Program’s core description document is presented in the Solution Architecture, which provides a solution that responds to the objectives and capabilities described in the CADE 2 Program Charter. Guidelines were also issued for critical processes such as requirements management, risk and issue management, and configuration management.

Enhanced security controls are planned for the CADE 2 system

The CADE 2 Governance Board approved the Milestone 3 exit in December 2010. As part of this exit process, the Program Management Office prepared two artifacts pertaining to security controls for the CADE 2 system—the Security Strategy and the Security Framework. The Security Framework provides a high-level view of security and sets the tone of the information security solution throughout the Program. More detailed strategies will be presented in other Program-level and project-level documents.
The Security Strategy outlines the IRS’s plans for applying resources to mitigate the security risks of developing, implementing, and operating the CADE 2 system.

As previously mentioned, Transition State 1 includes two major changes: establishing a relational database and moving to daily processing of the IMF. According to the Security Framework document, since the IMF will not undergo any major changes to its architecture, the security controls will largely remain as they currently exist. The Security Framework, however, will apply to the new database system and its components.

Both the Security Strategy and Security Framework documents outline the IRS’s plans to provide for enhanced security controls due to the sensitive nature of the taxpayer data stored in the CADE 2 system. The IRS determined that the aggregation of taxpayer information, numbering in excess of 130 million individual records, warrants an enhanced level of security controls to help protect CADE 2 system data. The loss or theft of this data would significantly damage taxpayers, as well as hurt the IRS’s reputation. To mitigate this risk, the IRS intends to implement enhanced security controls.
These controls exceed the minimum guidelines required by the Recommended Security Controls for Federal Information Systems and Organizations (National Institute of Standards and Technology Special Publication 800-53, Revision 3). Further, the IRS will adopt a data-centric security approach whereby the focus will be on assessing and mitigating the risk to the data stored on the system versus the risk to the system itself.

The enhanced controls will be chosen using a risk-based approach. In other words, the cost of implementing the control should not exceed the benefit derived from the control. The Cybersecurity organization team identified 18 enhanced security controls that are being added above and beyond the moderate baseline required by National Institute of Standards and Technology.[5] This enhanced set of requirements helps protect CADE 2 system data from unauthorized access, modification, and corruption. Several of these enhanced security control features will protect information from unauthorized use or access to IRS resources and apply access restrictions to changes to the system, including upgrades and modifications that can potentially have significant effects on the security of the system.
We plan to evaluate the adequacy of the security controls during a future audit of the CADE 2 system.

Independent government cost estimates were effectively used during contract negotiations

In response to a TIGTA audit recommendation in May 2005, the IRS continues to obtain independent Federal Government cost estimates to provide contracting officers with essential knowledge needed to evaluate and negotiate contract proposals.[6] During a subsequent review in July 2007, the TIGTA reported an actual cost savings that resulted when the IRS obtained an independent Federal Government cost estimate.[7]

[5] See Appendix VIII for a complete list of the 18 Customer Account Data Engine 2 High and Enhanced Requirements.
[6] While Many Improvements Have Been Made, Continued Focus Is Needed to Improve Contract Negotiations and Fully Realize the Potential of Performance-Based Contracting (Reference Number 2005-20-083, dated May 26, 2005).
[7] While Improvements Continue in Contract Negotiation Methods and Management Practices, Inconsistencies Need to Be Addressed (Reference Number 2007-20-123, dated July 27, 2007).

During this current audit, we reviewed 6 of 19 CADE 2 Program contracts and determined that all of the acquisition teams prepared an independent Federal Government cost estimate for Fiscal Years 2010 and 2011.
However, 2 of the 6 teams provided written documentation for a realized cost savings of approximately $11.5 million as a result of obtaining independent estimates.[8]

Systems Development Processes and Program Guidelines Were Not Always Consistent

The CADE 2 Program Management Office issued guidelines for key systems development processes and convened numerous meetings to provide oversight for the work being performed. As status meetings were convened, it became evident to CADE 2 Program Management Office officials there was a significant challenge involved in assembling diverse processes into a comprehensive set of activities that would be well understood and consistently applied across the Program and the projects. While Program guidelines specified the systems development procedures, the guidelines and the actual processes performed by the project teams were not always consistent.

The CADE 2 Program Management Office needs to improve controls to ensure that systems development guidelines and processes are consistently performed. The CADE 2 Program Management Office stated that two factors contributed significantly to the inconsistent practices identified. Specifically, the CADE 2 Program:

   (1) Introduced a new business model for the development of information technology projects within the Modernization and Information Technology Services organization. In summary, the CADE 2 Program represents the first instance a Program Management Office is responsible for providing directions and oversight to multiple, ongoing information technology development projects. As a result, the IRS issued revised guidelines for most of the systems development disciplines.
   (2) Created a new way to perform each systems development discipline. This essentially created a cultural change in the way the IRS traditionally developed information technology projects. One critical aspect has been to incorporate and ensure Program-level and project-level personnel understand new emerging roles and responsibilities; therefore, CADE 2 Program Management Office leadership stated that personnel will need time to mature into these revised roles and processes.

The CADE 2 Program Management Office needs to ensure consistent practices in risk management, configuration management, test guidance, and the IMS.

[8] See Appendix IV.

Risks were not consistently identified and managed

The CADE 2 Program Management Office risk and issue management guidelines are designed to establish a continuous process to identify and mitigate risks as early as possible. Procedures require personnel at both the Program and project levels to identify and assess risks and to control these risks in the Item Tracking Reporting and Control system. Although Program-level risks were being identified and controlled in the system, project-level risks were not. For example, the CADE 2 Program Item Tracking Reporting and Control Risk Log used during the monthly risk and issue management meeting on January 6, 2011, contained 10 Program-level risks and no project-level risks.

We judgmentally selected and reviewed 11 of 13 active risks contained on the CADE 2 Program consolidated Risk Watch List dated February 8, 2011, to determine if risk analysis, risk mitigation plans, and monitoring were performed for each risk.
The CADE 2 Program
Management Office ensured risks were analyzed, mitigation plans were developed, and actions
were monitored for all 11 risks sampled. However, undocumented risks could adversely affect
the design activities, requirements development, systems performance, and delivery of the
CADE 2 system.

The CADE 2 Program Management Office did not ensure project teams were following the
established risk and issue management guidelines. The CADE 2 Director for Program
Management and Control acknowledged inconsistencies in risk management practices, stating
that there are formal risk tracking procedures at the Program level, but not at the project level.
As a result, the Director explained that revisions to the risk management process would include:
   •   Making the process more transparent. Risks identified would no longer be designated as
       either a Program-level risk or a project-level risk.
   •   Implementing a common process. In the revised process, each risk would be subject to
       the same Program-level evaluation and review process.
   •   Developing a consolidated list of risks. The list would capture all identified risks and be
       monitored at monthly risk management meetings. After Program-level evaluation,
       validated risks will be entered into the Item Tracking Reporting and Control system.

Management Action: The CADE 2 Program Management Office revised both the CADE 2
Risk and Issue Management Process and Risk and Issue Management Plan. In addition, the Risk
Watch List was completed following our discussion with management regarding the inconsistent
tracking of risks. This list captures all risks and is discussed at the monthly risk and issue
management meetings.
We reviewed a copy of this list after it was developed, as discussed
above.

Configuration management and requirements management guidelines were not aligned with the change management process

The Configuration Management Plan and Requirements Management Plan were not aligned to
establish the overall proper Configuration Control Board (CCB) authority. Configuration
management involves establishing proper control over approved project products such as
documentation, hardware, and software and assuring their changes are authorized, controlled,
and tracked. Ensuring proper control over project products involves establishing baselines,
which are an agreed-upon description of the attributes or characteristics of a product at a point in
time. All baseline products are under configuration control to formally protect them from
unwarranted and uncontrolled changes. These baseline products serve as the basis for future
development and can be changed only when authorized by the CCB. According to the CADE 2
Configuration Management Plan, proposed changes to baseline products should be documented
using a change request form, and no changes are made to the products until the changes are
approved by the CCB.

The CADE 2 Program Management Office ensured that changes to baseline products were
documented on change request forms. However, the Configuration Management Plan and
Requirements Management Plan were not aligned with the change management process. Both
guidelines stated there were three CCBs, one for the CADE 2 Program and two for the CADE 2
projects.
The CADE 2 Program Management Office Director for Delivery Management stated
that only one CCB existed to approve changes to CADE 2 products.

Initially, the CADE 2 Program Management Office believed change requests needed to be
addressed at both the Program and project levels separately, but it realized this added an
unnecessary extra level of work and decided to use only one CCB for approving changes to
baseline products at both Program and project levels. However, the CADE Program
Management Office did not ensure the Configuration Management Plan or Requirements
Management Plan were timely updated to reflect this new process. When guidelines do not align
with the actual processes, unauthorized changes could occur, which may adversely affect the
system and delay implementation of the CADE 2 system in January 2012.

Management Action: The CADE 2 Program Management Office revised the Configuration
Management Plan and the Requirements Management Plan to reflect that one CCB maintains
sole change approval authority for all baseline products developed for the CADE 2 system.

The CADE 2 Program Test Plan was not initially developed to provide needed guidance for testing activities

The CADE 2 Program Management Office did not initially have a Program Test Plan and, as a
result, experienced multiple delays in developing the Program Test Plan. The CADE 2 Program
Management Office, in partnership with the Enterprise Systems Testing office, plans and
executes the testing activities required to verify and validate the overall CADE 2 Transition
State 1 solution.
The CADE 2 Program Test Strategy requires the development of the CADE 2
Program Test Plan and states that the Plan will describe the next level of detail for testing the
system. This testing will include descriptions of the common elements among the testing
projects and will specify CADE 2 project test plans. The CADE 2 Program Management Office
staff held discussions to consider whether the Program Test Strategy was sufficient to replace the
Program Test Plan. Although the Strategy requires detailed testing guidance be provided in a
test plan, it focuses on the Program level and does not provide detailed test procedures or
information about testing at the project level. The lack of a documented Program Test Plan
occurred partially because the Enterprise Systems Testing office had never created a Program
Test Plan prior to the CADE 2 Program. Additionally, since this Program Test Plan is new, the
Internal Revenue Manual had not yet been updated to include detailed instructions for
developing a Program-level test plan. We advised the CADE 2 Director for Delivery
Management that the Program Test Plan was a valuable control the project teams need for
development of their detailed project test plans.
If the CADE 2 project teams do not receive
sufficient guidance on developing their test plans, the CADE 2 system may not be properly
tested and the system may not work as intended when deployed into IRS operations.

Management Action: The CADE 2 Program Management Office developed the Program
Test Plan, which includes due dates for delivery of each project test plan.

Recommendations

The Chief Technology Officer should:

Recommendation 1: Ensure that each project test plan is developed timely to allow sufficient
time for preparation of testing materials.

       Management’s Response: The IRS agreed with this recommendation. The IRS
       stated that test plans supporting the CADE 2 and affected systems are prepared in
       accordance with applicable Internal Revenue Manual guidance, which states when test
       plans must be prepared and delivered. Specifically, Internal Revenue Manual 2.6.1.4.2.9
       states that project-level Systems Acceptability Test Plans must be delivered to all
       stakeholders at least 14 calendar days before application program delivery. While the
       Internal Revenue Manual does not provide explicit guidance for Final Integration Test
       Plan delivery, the same 14-day delivery requirement is maintained. For test types that are
       not covered by the Internal Revenue Manual or equivalent established guidance, the
       timing of Test Plan delivery is determined during Program or project planning.

Recommendation 2: Ensure that Internal Revenue Manual 2.16.1, Enterprise Life Cycle
Guidance, includes detailed instructions on how to develop a Program-level test plan.

       Management’s Response: The IRS disagreed with this recommendation. The IRS
       stated that the ELC is for project development and is not intended to provide for detailed
       instructions on developing a Program-level test plan.
       The CADE 2 Program
       Management Office will reconcile the System Validation & Verification Plan and the
       System Test Plan, which are generally consistent in purpose, scope, and timing as the
       CADE 2 Program Test Strategy and Program Test Plan, respectively, and maintain
       Program-level guidance regarding their development and usage. In the interim, the
       existing Transition State 1 Program Test Plan will be used as a template.

       Office of Audit Comment: In the memorandum transmitting IRS management’s
       response to the draft report, the Chief Technology Officer stated that the finding that the
       Program Test Plan was delivered late appears to be inaccurate. The Chief Technology
       Officer provided a chronology of activities undertaken to prepare the Program Test Plan,
       and stated that a decision was made by Enterprise Systems Testing management, and
       agreed to by the CADE 2 Program Management Office, to defer delivery of the Program
       Test Plan to allow time to incorporate additional design information as it was being
       developed.
       The Chief Technology Officer ends by saying uncertainty or unfamiliarity
       with the content or structure of the Program Test Plan did not impede development by the
       Enterprise Systems Testing office and was not a factor in the decision to defer delivery.
       However, during the TIGTA’s audit fieldwork, the CADE 2 Program Management
       Office staff advised they were considering not completing the Program Test Plan, and
       only did so after we brought this to the attention of the CADE 2 Director for Delivery
       Management. Although the IRS disagreed with our recommendation, management
       offered an alternative corrective action. We agree this alternative approach addresses the
       condition.

The Integrated Master Schedule did not include all the activities required by established guidelines

The CADE 2 Program Management Office did not ensure a comprehensive master schedule was
developed in accordance with established guidelines. The IMS is designed to capture and
maintain tasks, milestones, activities, and dependencies over the course of a program or project
lifecycle. The CADE 2 Integrated Schedule Management Process, dated May 26, 2010, defines
the approach to developing and maintaining the IMS. Specifically, the Program Management
Office is responsible for preparing the IMS, and project teams are responsible for preparing,
maintaining, and updating supporting schedules. Currently, the IMS and supporting schedules
are managed and maintained on a SharePoint web site. The CADE 2 IMS was not complete, as
it did not include significant activities for several milestones.
For example, the IMS did not
include the CADE 2 Milestone 4b exit date or Milestone 5 deployment date of January 2012.
Additionally, participants in several weekly CADE 2 Program meetings were unsure whether
they had the most current version of the IMS due to missing activities/tasks.

The CADE 2 Director for Delivery Management stated that the IMS process was new for the
CADE 2 Program; therefore, it would take time for stakeholders to use this new process. The
critical path is designed to sequence IMS activities for timely completion; however, without a
comprehensive IMS, the critical path could be inaccurate. A complete and integrated IMS is
necessary at all times to ensure stakeholders are aware of significant systems development
activities and to assure the January 2012 CADE 2 system scheduled deployment date is not
delayed.

Recommendation

The Chief Technology Officer should:

Recommendation 3: Ensure the IMS includes all key activities associated with the
development and deployment of the CADE 2 system, including the Daily Processing and
Database Implementation Projects.

       Management’s Response: The IRS agreed with this recommendation. The CADE 2
       Program Management Office engaged all delivery partners in the rebaseline of the
       Milestone 4b IMS.
       This included conducting multiple cross-functional work sessions
       with stakeholders to ensure all key activities were included and to identify dependencies
       and alignment of dates.

Requirements Management Processes Were Not Performed in Accordance With Established Guidelines

Requirements are used to define specific business and technical functionalities that are needed
from a system. The CADE 2 Requirements Management Plan is the primary source for
information on activities, responsibilities, and resources used to manage, monitor, and control
requirements of the CADE 2 system. The Requirements Management Plan identifies
requirements traceability as a key component of requirements management. It also requires that
the CADE 2 Program Management Office report monthly on requirements management
measures and metrics. This reporting includes measures such as requirements traceability and
metrics that identify requirements changes and the number of untraced requirements.

The Rational RequisitePro (ReqPro) automated tool is the IRS Enterprise Architecture standard
for requirements management. All CADE 2 Program, project, and stakeholder personnel should
use ReqPro to create, manage, and control requirements and to maintain traceability across the
Program and projects. ReqPro can generate a Requirements Traceability Matrix to record and
track requirements.

All CADE 2 system requirements were not sufficiently traced prior to the Milestone 3 exit.
Additionally, the ELC required business rules be gathered and completed during Milestone 3;
however, they were still being developed after the December 2010 Milestone 3 exit.
Factors
contributing to the untraced requirements include:
   •   Business rules were not timely completed – The CADE 2 Program Management Office
       did not ensure business rules were gathered from all sources and input into ReqPro prior
       to the Milestone 3 exit. For example, when the Milestone 3 exit occurred, the business
       rule that determines eligibility of accounts for daily processing was not developed. This
       issue can affect any number of individual taxpayer accounts, consequently impinging
       upon CADE 2 system performance. The January 2011 ReqPro traceability matrix
       contained approximately 3,664 (93 percent) of 3,944 customer requirements not traced to
       business rule sets and 8 (9 percent) of 89 business rule sets not traced to customer
       requirements. Without business rules, these customer requirements may not effectively
       function. Additionally, new business rules developed after the Milestone exit could also
       require development of additional customer requirements.

       The CADE 2 Director for Delivery Management stated that adherence to the ELC
       Program Framework resulted in business rules not being fully developed by the
       Milestone 3 exit. Specifically, the Framework combined both Milestones 3 and 4a into
       an April 2011 exit, resulting in all activities being structured around that one exit.
       However, due to budget issues, Milestone 3 was subsequently separated into an exit time
       period of December 2010.
       Although the CADE 2 Program Management Office ensured
       key activities and products were identified, business rules were not completed prior to the
       new Milestone 3 exit. The risk of incomplete business rules could contribute to untraced
       requirements, which may adversely impact systems design and testing activities.
   •   Requirements management processes were not followed – Historically, IRS offices
       managed requirements internally through Excel spreadsheets and automated requirements
       tools. With the onset of ReqPro, the CADE 2 Program Management Office implemented
       processes and provided instructions to IRS stakeholders for accurate requirements input
       into this management tool. However, the CADE 2 Director for Delivery Management
       stated that these new processes, roles, and responsibilities presented a cultural change for
       personnel and that some stakeholders were struggling with this adjustment.

       For example, after requirements were baselined in ReqPro, Cybersecurity organization
       and Enterprise Operations personnel continued to develop requirements outside of
       ReqPro. Primarily, the Cybersecurity organization extracted requirements from ReqPro
       into an Excel spreadsheet, where they were managed and imported back into ReqPro.
       Use of this method created a situation where security requirements were very unstable.
       As a result, 1,137 security requirement discrepancies were created. Additionally, security
       requirements previously approved in ReqPro prior to their extraction resurfaced as not
       being approved when they were imported back into the system.
       During our review, these
       discrepancies were still being addressed by the Cybersecurity organization.

The risk of incomplete, missing, or invalid requirements could adversely affect CADE 2 system
design and testing activities and could delay the scheduled January 2012 system deployment.
We plan to review the stability and traceability of all requirements, including security
requirements, during our CADE 2 system testing audit.

Recommendations

The Chief Technology Officer should:

Recommendation 4: Ensure all requirements and business rules are identified and
sufficiently traced, controlled, and managed in ReqPro prior to initiating any CADE 2 system
testing processes to ensure the system functions as designed when deployed into IRS operations.
This should include the Daily Processing and Database Implementation Projects.

       Management’s Response: The IRS agreed with this recommendation. The IRS
       stated it has already stood up the CADE 2 Program ReqPro repository, which contains
       requirements and business rules for the Daily Processing and Database Implementation
       Projects, in November 2010. All requirements are tracked vertically down the hierarchy,
       and horizontally to other disciplines such as Configuration Management and Design,
       through reference requirements.
       All infrastructure requirements are housed in the
       Infrastructure Architecture & Engineering logical CADE 2 ReqPro repository, which also
       includes requirements for the Database Implementation and Daily Processing Projects.
       These requirements are traced to the CADE 2 Program ReqPro repository through
       cross-project traceability.

       The CADE 2 Program Management Office also drafted a Program Requirements
       Management Plan, which outlined the processes for managing requirements and tracing
       requirements. They also conducted a Program Integrated Requirements Review in
       December 2010 to ensure that all requirements were traced and complete in the CADE 2
       Program ReqPro repository, including ensuring there was cross-project traceability
       between the Infrastructure Architecture & Engineering repository and the CADE 2
       Program ReqPro repository. The CADE 2 Program Management Office also regularly
       monitors the data in the repository and presents metrics, such as requirements counts,
       requirements completeness, and untraced requirements, to delivery partners during
       weekly Integrated Requirements Team meetings. For any requirements that are not
       traced, an action is given to the project to establish the trace.

Recommendation 5: Implement controls to ensure that CADE 2 Program stakeholders:
   a. Cannot remove and work on requirements outside of ReqPro.
   b. Use ReqPro to create, input, and control requirements.

       Management’s Response: The IRS agreed with this recommendation. Since
       implementation of the CADE 2 Requirements repository, Requirements and Demand
       Management requirements analysts have begun working directly in ReqPro, using
       ReqPro to input and control requirements.
       However, prior to baselining the requirements
       and establishing configuration control, it was essential that the IRS have a tool to assist
       with creating the requirements. The Requirements and Demand Management provides
       business-friendly tools (compatible with ReqPro) which enable creation of requirements
       that can be imported into ReqPro. Requirements imported into ReqPro are considered
       baselined and under configuration management control. All changes to requirements are
       performed using change requests, and the program requirements team ensures that the
       requirements are input and controlled within ReqPro by using the change requests
       tracking spreadsheet. The change request tracking spreadsheet records the actions taken
       to create or update a requirement based on a change request.
       Requirements can be
       exported from ReqPro for reporting purposes only and are not manipulated.
       Requirements analysts have also been trained on working within ReqPro, and a monthly
       User Group meeting is held to train users on advanced topics on the use of ReqPro.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine if the CADE[1] 2 Program Management
Office planned and provided oversight for Transition State 1 design activities in accordance with
systems development guidelines, including applicable security provisions.

To accomplish the overall objective, we:
I.         Determined whether the CADE 2 Program Management Office provided effective
           oversight and directions for Transition State 1 design activities of both the Program and
           project activities. As appropriate, we conducted interviews of IRS personnel, attended
           Program meetings, requested documentation of processes and procedures, and performed
           analysis.
           A. Identified key personnel, including CADE 2 Program executives, directors, and
              managers, through review of the organization chart and attending meetings.
           B. Obtained documentation explaining the roles and responsibilities of key CADE 2
              Program personnel.
           C. Determined the processes and procedures used by the CADE 2 Program Management
              Office to manage Program and project activities, including providing formal
              directions and oversight and monitoring progress, problems, and corrections.
               1. Documented Program-level procedures and meeting requirements.
               2. Documented formal guidance issued or communicated to project staffs by the
                  CADE 2 Program Management Office.
           D. Verified that a governance process was established and that guidance was issued for
              the CADE 2 Program Management Office and project staffs to follow in fulfilling
              governance activities and making decisions affecting the CADE 2 Program.
               1. Identified the members and names of governance bodies.
               2. Reviewed governance guidance that communicated the procedures and processes
                  used by Program and project personnel to make decisions and elevate project
                  changes, risks, and issues from the project level to the Program level.

[1] See Appendix IX for a glossary of terms.

II.        Determined whether the CADE 2 Program Management Office established key Program
           areas and processes in accordance with systems development guidelines.
           As appropriate,
           we conducted interviews of IRS personnel, attended Program/project meetings, requested
           documentation of processes and procedures, and performed analysis in the following key
           Program areas.
           A. Reviewed the IMS to determine whether it included key project activities.
           B. Reviewed the Program Charter and the Program Management Plan.
           C. Obtained risk and issue management documentation.
               1. Reviewed the Risk and Issue Management Plan, the Risk and Issue Management
                  Process document, and Risk Logs.
               2. Judgmentally selected and reviewed 11 of 13 active risks contained on the
                  CADE 2 consolidated Risk Watch List dated February 8, 2011, to determine if
                  risk analysis, risk mitigation plans, and monitoring were performed for each risk.
                  We used a judgmental sample because we were not planning to project our
                  results.
           D. Obtained the requirements management documentation.
               1. Reviewed the Requirements Management Plan, the Solution Architecture, and the
                  Program Roadmap.
               2. Reviewed and analyzed the Milestone 3[2] baseline Requirements Traceability
                  Matrix from the Rational RequisitePro application.
           E. Obtained and reviewed the Configuration Management Plan, the Change Request
              Log, and change requests.
           F. Reviewed Program testing documentation to ascertain if the CADE 2 Program
              Management Office provided sufficient guidance for project teams to prepare detailed
              test plans.
III.       Identified and reviewed security guidelines and requirements applicable to the CADE 2
           Program Management Office, including the supporting projects.
           As appropriate, we
           conducted interviews of IRS personnel (including those in the Cybersecurity organization),
           attended Program meetings, requested documentation of processes and procedures, and
           performed analysis.
           A. Identified key IRS personnel and their roles and responsibilities in designing security
              features for the CADE 2 system by reviewing organization charts and other CADE 2
              system security documents.

[2] See Appendix V for an overview of the ELC.

           B. Reviewed the security and privacy guidelines applicable to the CADE 2 system.
           C. Identified and reviewed security requirements in the following CADE 2 Program
              documentation: the Security Framework, Security Strategy, Program Roadmap,
              Solution Architecture, and security requirements for supporting projects in the
              Business Systems Report and Business Systems Requirements Report.
           D. Determined whether the security controls were included in CADE 2 system
              documentation early enough in the systems development life cycle to be cost
              effective.
           E. Determined whether the security categorization the IRS assigned to the CADE 2
              system was documented and supported.
IV.        Reviewed the CADE 2 Program contracts applicable to both the Program and the projects
           to determine if the IRS sufficiently protected itself throughout the contracting process.
           As appropriate, we conducted interviews of IRS personnel, requested documentation of
           the contracts and procedures, and performed analysis.
           A. Obtained all existing contracts and task orders for the CADE 2 Program and the
              supporting projects.
           B. Reviewed a judgmental sample of 6 of 19 contracts (issued in Fiscal Years 2010 and
              2011) and determined whether the IRS obtained independent Government cost
              estimates to ensure the contract costs were economically derived. We used a
              judgmental sample because we were not planning to project our results.
           C. Based on evidence received from the Office of Procurement, developed a cost savings
              outcome measure related to the use of independent Government cost estimates.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: ELC and related IRS guidelines and the
processes followed in the development of information technology projects.
We evaluated these controls by conducting interviews and meetings with management and staff, attending meetings of the CADE 2 Program and project teams, and reviewing Program documentation such as the Program Charter, various program plans, and other documents that provided evidence of whether ELC systems development processes were followed.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Diana M. Tengesdal, Acting Director
Kimberly R. Parmley, Audit Manager
Wallace C. Sims, Lead Auditor
Suzanne M. Westcott, Senior Auditor
Esther M. Wilson, Senior Auditor
David F. Allen, Program Analyst

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief, Agency-Wide Shared Services OS:A
Commissioner, Wage and Investment Division SE:W
Deputy Chief Information Officer for Strategy/Modernization OS:CTO
Associate Chief Information Officer, Modernization – Program Management Office OS:CTO:MP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Procurement OS:A:P
Director, Risk Management Division OS:CTO:SP:RM
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Commissioner, Wage and Investment Division SE:W:S:PRA:PEI
       Director, Procurement OS:A:P
       Director, Program Oversight OS:CTO:SP:RM

Appendix IV

Outcome Measure

This appendix presents detailed information on the measurable impact a prior recommendation has had on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:
•   Cost Savings – Funds Put to Better Use – Actual: $11,537,356 (see page 4).

Methodology Used to Measure the Reported Benefit:
The Federal Acquisition Regulation requires the initial negotiation position to be based on the results of the contracting officer’s analysis of the offeror’s proposal, taking into consideration technical analysis, fact-finding results, and independent Federal Government cost estimates.1 In a May 2005 audit report,2 the TIGTA determined that the IRS may not have been obtaining requested services at a fair and reasonable cost because independent cost estimates were not required by modernization processes. It was recommended that the IRS promote consistent application of best practices by obtaining independent cost estimates. Additionally, in a July 2007 audit report,3 the TIGTA reported an actual cost savings outcome measure resulting from the IRS obtaining an independent Government cost estimate.
As part of our current review, the IRS Office of Procurement provided written documentation that it realized a cost savings of $11,537,356 from obtaining independent estimates from 2 of its contracts. The cost savings originated from reductions in the scope for base and option years, labor hours, and labor rates and a revision to the skill mix.4

1 48 C.F.R. § 15.406-1 (a) (Amended February 2009).
2 While Many Improvements Have Been Made, Continued Focus Is Needed to Improve Contract Negotiations and Fully Realize the Potential of Performance-Based Contracting (Reference Number 2005-20-083, dated May 26, 2005).
3 While Improvements Continue in Contract Negotiation Methods and Management Practices, Inconsistencies Need to Be Addressed (Reference Number 2007-20-123, dated July 27, 2007).
4 Information obtained from the IRS Office of Procurement. The TIGTA did not verify the accuracy of this information.

Appendix V

Enterprise Life Cycle Overview

The ELC is the IRS’s standard approach to business change and information systems initiatives. It is a collection of program and project management best practices designed to manage business change in a successful and repeatable manner.
The ELC addresses large and small projects developed internally and by contractors.
The ELC includes such requirements as:
     •    Development of and conformance to enterprise architecture.
     •    Improving business processes prior to automation.
     •    Use of prototyping and commercial software, where possible.
     •    Obtaining early benefit by implementing solutions in multiple releases.
     •    Financial justification, budgeting, and reporting of project status.
In addition, the ELC improves the IRS’s ability to manage changes to the enterprise; estimate the cost of changes; and engineer, develop, and maintain systems effectively. Figure 1 provides an overview of the phases and milestones within the ELC. A phase is a broad segment of work encompassing activities of similar scope, nature, and detail and providing a natural breakpoint in the life cycle. Each phase begins with a kickoff meeting and ends with an executive management decision point (milestone) at which IRS executives make “go/no-go” decisions for continuation of a project. Project funding decisions are often associated with milestones.

Figure 1: Enterprise Life Cycle Phases and Milestones

Phase | General Nature of Work | Milestone
Vision and Strategy/Enterprise Architecture Phase | High-level direction setting. This is the only phase for enterprise planning projects. | 0
Project Initiation Phase | Startup of development projects. | 1
Domain Architecture Phase | Specification of the operating concept, requirements, and structure of the solution. | 2
Preliminary Design Phase | Preliminary design of all solution components. | 3
Detailed Design Phase | Detailed design of solution components. | 4A
Systems Development Phase | Coding, integration, testing, and certification of solutions. | 4B
System Deployment Phase | Expanding availability of the solution to all target users. This is usually the last phase for development projects. | 5
Operations and Maintenance Phase | Ongoing management of operational systems. | System Retirement
Source: The Enterprise Life Cycle Guide.

Appendix VI

Customer Account Data Engine 2 Transition States

Figures 1 through 4 present conceptual models of the As Is, Transition States 1 and 2, and Target State processing flows for individual income tax accounts.

Figure 1: As Is Processing
Note: R2 CPE = Return to Current Processing Environment.1
Source: Customer Account Data Engine 2 Program 4th Quarter Briefing to the TIGTA, dated December 15, 2009.
1 See Appendix IX for a glossary of terms.

Figure 2: Transition State 1 Processing Plan
Note: CFOL = Corporate Files On-line.
Source: Customer Account Data Engine 2 Program 4th Quarter Briefing to the TIGTA, dated December 15, 2009.

Figure 3: Transition State 2 Processing Plan
Transition State 2
  Single System - Customer Account Data Engine (daily)
  Addresses Financial Material Weaknesses
  Applications structured to use database
  Downstream systems start to leverage database
Diagram labels: Input Transactions; Customer Account Data Engine; Downstream Systems; Target Database Fully Populated; Integrated Production Model.
Source: Customer Account Data Engine 2 Program 4th Quarter Briefing to the TIGTA, dated December 15, 2009.

Figure 4: Target State Processing Plan
Source: Customer Account Data Engine 2 Program 4th Quarter Briefing to the TIGTA, dated December 15, 2009.

Appendix VII

Transition State 1 Integration Reviews

Integration Review | Outcomes
Integrated Management Planning Review | The Integrated Management Planning Review validates that relationships and integration expectations between the Program and its projects are appropriately defined and well understood.
Integrated Requirements Review | The Integrated Requirements Review validates that the Program-level requirements allocated to projects are in alignment with the Program solution; that Program-level requirements have been appropriately fulfilled through decomposition to project-level requirements; and that all requirements dependencies are identified, supported, and fulfilled.
Integrated Solution Planning Review | The Integrated Solution Planning Review validates that Program strategies for solution design are aligned for the transition state solution.
Integrated Logical Design Review | The Integrated Logical Design Review validates that the project-level designs support the solution’s logical implementation as defined in the Program Roadmap and that the projects collectively will deliver an integrated and cohesive solution.
Integrated Physical Design Review | The Integrated Physical Design Review validates that the project-level designs support the solution’s physical implementation as defined in the Program Roadmap and that the projects collectively will deliver an integrated and cohesive solution.
Integrated Test Planning Review | The Integrated Test Planning Review validates that Program and project plans for testing the solution components individually and the integrated Program solutions collectively are in alignment and comprehensive.
Integrated Test Readiness Review | The Integrated Test Readiness Review validates that solution components have been accurately and comprehensively tested at the Unit and Developer level and that the Program is ready to begin testing of the integrated Transition State solution.
Integrated Organizational Readiness Review | The Integrated Organizational Readiness Review validates that the Program understands the impact the solution has on the business and validates the organization’s readiness to adopt the new solution.
Integrated Deployment Readiness Review | The Integration Deployment Readiness Review validates that the solution components; production environment; and plans for deployment, back-out, and operations are assessed against defined readiness criteria. The Program will make a “Go/No-Go” decision based on the results of the Integrated Deployment Readiness Review.
Source: IRS Customer Account Data Engine 2, 2nd Quarter Briefing to the TIGTA, dated July 14, 2010.

Appendix VIII

The Customer Account Data Engine 2 High and Enhanced Requirements

High and Enhanced Security Control Number | NIST 800-53 Security Control Name | Requirement Description | Requirement Purpose
1 | Account Management | The information system shall monitor for atypical (abnormal) use of systems accounts. | Monitoring changes outside approved maintenance windows.
2 | Account Management | The information system shall establish a role-based user account management process. | Simplifies account management to allow effective enforcement of least privilege principles
(i.e., the minimum privileges needed to perform job functions).
3 | Account Management | The information system shall monitor and track privilege role(s) assignments. | Existing Internal Revenue Manual requirements must be in place for all IRS systems.
4 | Access Enforcement | The information system shall store encrypted backups in a secure location. | Selected to document control enhancement that is already in place.
5 | Previous Logon (Access) Notification | The information system shall notify the user, upon successful logon (access), of the date and time of the last logon (access). | Allows detection of unauthorized account access.
6 | Previous Logon (Access) Notification | The information system shall notify the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. | Allows detection of unauthorized account access.
7 | Response to Audit Processing Failures | The information system shall provide a warning when allocated audit record storage volume reaches a defined percentage of maximum audit record storage capacity. | Intended to prevent loss of audit capabilities due to storage capacity being exceeded either unintentionally or maliciously.
8 | Response to Audit Processing Failures | The information system shall provide a real-time alert for intrusions and potential intrusions to IRS networks by unauthorized individuals. | Real-time alerts of unauthorized access are necessary to minimize damage from an attacker or malicious user.
9 | Response to Audit Processing Failures | The information system shall provide a real-time alert for unauthorized use or access to IRS resources. | Real-time alerts of unauthorized access are necessary to minimize damage from an attacker or malicious user.
10 | Protection of Account Information | The information system shall back up audit records at a defined frequency onto a different system or media than the system being audited. | Intended to reduce the risk of audit compromise.
11 | Protection of Account Information | The information system shall authorize access to management of audit functionality to only a limited subset of privileged users. | Intended to prohibit modification of audit records by privileged users.
12 | Protection of Account Information | The information system shall protect the audit records of nonlocal accesses to privileged accounts and the execution of privileged functions. | Intended to prohibit modification of audit records by privileged users.
13 | Access Restrictions for Change | The information system shall limit information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within the production environment. | Intended to prevent unauthorized changes to production systems.
14 | Access Restrictions for Change | The information system shall limit privileges to change software resident within software libraries (including privileged programs). | Existing Internal Revenue Manual requirements must be in place for all IRS systems.
15 | Media Storage | The information system shall employ cryptographic mechanisms to protect information in storage. | Existing Internal Revenue Manual requirements must be in place for all IRS systems.
16 | Use of Cryptography | The information system shall use Federal Information Processing Standards validated cryptography when cryptography is used to protect information. | Existing Internal Revenue Manual requirements must be in place for all IRS systems.
17 | Session Authenticity | The information system shall provide a readily observable logout capability whenever authentication is used to gain access to web pages. | Intended to protect administrative web interfaces and prevent unauthorized access to the
application/data.\n                                            The information system shall          Intended to prevent the\n                                            check incoming communications         introduction of malicious\n                           Boundary         to ensure that the communications     traffic or unauthorized\n         18\n                           Protection       are coming from an authorized         access by an external\n                                            source and routed to an               attacker.\n                                            authorized destination.\nSource: CADE 2 Program Transition State 1 National Institute of Standards and Technology 800-53 High and\nEnhanced Control Requirements Discussion UPDATE, dated November 24, 2010.\n\n\n                                                                                                      Page 31\n\x0c                             The Customer Account Data Engine 2\n                           Program Management Office Implemented\n                      Systems Development Guidelines; However, Process\n                     Improvements Are Needed to Address Inconsistencies\n\n\n                                                                                 Appendix IX\n\n                              Glossary of Terms\n\nTerm                  Definition\nAuthentication        The process of identifying an individual, usually based on a username\n                      and password.\nBusiness Rule         A statement that defines or constrains some aspect of the business (see\n                      Business Rule Sets).\nBusiness Rule Sets    A group of business rules related to a common topic or business\n                      decision.\nConfiguration         Serves as the change approval authority for all baseline products\nControl Board         developed at the Program and project levels.\nCorporate Files       A system that provides online transactional 
access to IMF and Business\nOn-Line               Master File data, Information Return Program data, and various other\n                      related data collections. These files are accessed via IRS-developed\n                      Customer Information Control System command codes.\nCritical Path         A sequence of activities that results in the completion of a project in the\n                      shortest period of time.\nCryptography          The conversion of data into a secret code for transmission over a public\n                      network.\nCurrent Processing    The IRS\xe2\x80\x99s existing entire information technology environment including\nEnvironment           business applications, data stores, data interfaces and processing flows,\n                      infrastructure, and information technology services, as well as involved\n                      organizations, locations, processes, policies, and people.\nCustomer Account      A major component of the IRS\xe2\x80\x99s Modernization Program. 
The system\nData Engine           consists of current and planned databases and related applications that\n                      work with the IRS Master File system (see Master File).\nDaily Processing      A project under the CADE 2 Program that, when completed, will change\nProject (CADE 2)      weekly individual taxpayer account processing to daily processing.\nDatabase              A project under the CADE 2 Program intended to implement the newest\nImplementation        version of the relational database.\nProject (CADE 2)\n\n                                                                                          Page 32\n\x0c                                   The Customer Account Data Engine 2\n                                 Program Management Office Implemented\n                            Systems Development Guidelines; However, Process\n                           Improvements Are Needed to Address Inconsistencies\n\n\nTerm                          Definition\nDelivery                      Provides Program management oversight and direction to the individual\nManagement Office             project offices. It coordinates and directs integration activities across\n                              supplier organizations to ensure projects are delivered on schedule and\n                              within budget. The office ensures that all component projects and\n                              affected applications or systems operate inter-dependently at deployment\n                              through assuring interfaces and impacts are clearly identified,\n                              engineered, and implemented.\nEnterprise                    A unifying overall design or structure for an enterprise that includes\nArchitecture                  business and organizational aspects of the enterprise as well as\n                              technology aspects. 
                      Enterprise Architecture divides the enterprise into
                      its component parts and relationships and provides the principles,
                      constraints, and standards to help align business area development
                      efforts in a common direction. An Enterprise Architecture ensures that
                      subordinate architectures and business system components developed
                      within particular business areas and multiple projects fit together into a
                      consistent, integrated whole.
Enterprise Life Cycle A structured business systems development method that requires the
                      preparation of specific work products during different phases of the
                      development process.
Executive Steering    Committee with oversight responsibilities for investments, including
Committee             validating major investment business requirements and ensuring that
                      enabling technologies are defined, developed, and implemented.
Financial             The Federal Financial Management Improvement Act of 1996 (FFMIA)¹
Management System     established financial management systems requirements intended to
Requirements          advance Federal financial management by ensuring that Federal
                      management systems can and do provide reliable, consistent disclosure
                      of financial data. Agencies are required to determine whether their
                      financial management systems comply with the law.
                      If the financial
                      systems do not comply (i.e., they contain financial material weaknesses),
                      the agency is required to develop a remediation plan that describes the
                      resources, remedies, and intermediate target dates for achieving
                      compliance.

¹ Pub. L. No. 104-208, 110 Stat. 3009.

Financial Material    If an agency’s financial management systems do not comply with the
Weaknesses            Federal Financial Management Improvement Act of 1996, the systems
                      contain financial material weaknesses.
                      The agency must develop a
                      remediation plan that describes the resources, remedies, and intermediate
                      target dates for achieving compliance.
Firmware              The fixed, usually rather small, programs that internally control various
                      electronic devices.
Framework             A structure that facilitates understanding of a complex topic by breaking
                      the topic into multiple pieces or features, classifying the features,
                      illustrating relationships between the features, and organizing them in a
                      manner that facilitates visualization and practical usage.
Governance Board      Exists to ensure that the Program goals are achieved and that the
                      Program and component projects are delivering within their defined
                      scope, schedule, and budget. Additionally, the Governance Board
                      approves risk response plans and milestone exits and resolves escalated
                      issues.
Individual Master     The IRS database that maintains transactions or records of individual
File                  tax accounts.
Infrastructure        The fundamental structure of a system or organization.
                      The basic,
                      fundamental architecture of any system (electronic, mechanical, social,
                      political) determines how it functions and how flexible it is to meet
                      future requirements.
Integrated Data       The IRS computer system capable of retrieving or updating stored
Retrieval System      information; it works in conjunction with a taxpayer’s account records.
Integrated            Intended to be a data store to meet IRS needs for data analytics and
Production Model      long-term reporting and as a source for other types of analytic data that
                      supplement the transactional core data store.
Item Tracking         An information system used to track and report on issues, risks, and
Reporting and         action items in the modernization effort.
Control System
Master File           The IRS database that stores various types of taxpayer account
                      information. This database includes individual, business, and employee
                      plans and exempt organizations data.
Milestone             Scheduled time period for providing a “go/no-go” decision point in a
                      program or project (can be associated with funding approval to proceed).
National Institute of A nonregulatory Federal agency, within the Department of Commerce,
Standards and         responsible for developing standards and guidelines, including minimum
Technology            requirements, for
                      providing adequate information security for all
                      Federal Government agency operations and assets.
Rational              An application used for requirements management. The IRS has
RequisitePro          established ReqPro as its Enterprise Architecture standard for
                      requirements management. It is used to capture detailed requirement
                      data such as the requirement text and any supporting attributes to
                      organize or clarify the requirement. The application also has the
                      capability to create and maintain full requirements traceability within a
                      single project or across multiple projects.
Relational Database   A collection of data items organized as a set of formally described tables
                      from which data can be accessed or reassembled in many different ways
                      without having to reorganize the database tables.
Requirement           A formalization of a need and statement of a capability or condition that
                      a system must have or meet to satisfy a contract, standard, or
                      specification.
SharePoint            A web-based repository that the IRS uses to store and control
                      organizational products and documentation.
Stakeholders          An individual or organization that is materially affected by the outcome
                      of the system. Key stakeholders represent both business and technical
                      functions that fully participate in the architecture development effort to
                      ensure that directional guidance is both accurate and sufficient.
                      These
                      stakeholders are empowered to make project and architectural decisions.
                      Examples of project stakeholders include the customer, the user group,
                      the project manager, the development team, and the testers.
Traceability          Describes the life of a requirement from the initial source through its
                      development and actual deployment into operations.

Appendix X

Management’s Response to the Draft Report

Draft Report - The Customer Account Data Engine 2 Program Management Office
Implemented Systems Development Guidelines; However, Process Improvements Are
Needed to Address
Inconsistencies 201020025

RECOMMENDATION #4 The Chief Technology Officer should ensure all requirements and
business rules are identified and sufficiently traced, controlled, and managed in ReqPro prior to
initiating any CADE 2 system testing processes to ensure the system functions as designed when
deployed into IRS operations. This should include the Daily Processing and Database
Implementation.

CORRECTIVE ACTION #4: We agree with this recommendation and have already stood up a
RequisitePro (ReqPro) Repository in November 2010 which contains requirements and business
rules for the DP and DI projects. This repository is referred to as the CADE 2 Program ReqPro
repository. All requirements are traced vertically down the hierarchy. Requirements are also
traced horizontally to other disciplines such as CM, Design, etc. through reference requirements.
The IA&E logical CADE 2 ReqPro repository houses all infrastructure requirements, which
includes requirements for DI and DP. These requirements are traced to the CADE 2 Program
ReqPro repository through cross-project traceability.

The PMO also drafted a Program Requirements Management Plan (RMP) which outlined the
processes of managing requirements and tracing requirements. There was a Program Integrated
Requirements Review (PIRR) conducted in December 2010 to ensure that all requirements were
traced and complete in the CADE 2 Program repository. This also ensured that the cross-project
traceability existed between the IA&E Repository and the CADE 2 Program repository.

The Program efficiently and regularly monitors the data in the repository. The Program conducts
an Integrated Requirements Team (IRT) meeting weekly, where we present metrics to all the
delivery partners. These metrics include requirements counts, requirements volatility,
requirements completeness, and untraced requirements.
If there are requirements that are not
traced, an action is given to the project to establish the trace.

IMPLEMENTATION DATE: Completed December 31, 2010.

RECOMMENDATION #5 The Chief Technology Officer should implement controls to ensure
that CADE 2 Program stakeholders:
    a. Cannot remove and work on requirements outside of ReqPro.
    b. Use ReqPro to create, input, and control requirements.

CORRECTIVE ACTION #5:
We agree with the spirit and intent of this recommendation and since the implementation of the
CADE 2 Requirements repository, RADM requirements analysts have begun working directly in
ReqPro. Using ReqPro to input and control requirements is part of our approach to managing
requirements. However, prior to baselining the requirements, it was essential that IRS have a tool
to create requirements prior to baselining them for configuration control. RADM provides
business-friendly tools (compatible with ReqPro) which enables creation of requirements which
can be imported into ReqPro. Requirements imported into ReqPro will be considered baselined.
Since all requirements are baselined and are under CM control, all changes to requirements go
through CRs. The program requirements team ensures that the requirements are input and
controlled within ReqPro by using the CR Tracking spreadsheet.
The CR tracking spreadsheet
keeps track of actions to create or update a requirement based on a CR. We ensure that these
changes are made in the ReqPro repository.

The capability to export requirements does exist; these reports are extracted for reporting
purposes only and are not manipulated. We have also provided training to requirements analysts
so they are comfortable working within ReqPro. We have a monthly User Group meeting which
trains users on advanced topics on the use of ReqPro.

IMPLEMENTATION DATE: Completed December 31, 2010.